Strong Customer Authentication

What internet businesses need to know about the new European regulation

Michael Cocoman & Olivier Godement

Michael Cocoman is Head of Regulatory at Stripe and works on expanding our global product offering. Olivier Godement is a Product Manager at Stripe who drives authentication efforts to help businesses prepare for Strong Customer Authentication.

Introduction

In this guide we’ll take a closer look at the new requirements known as Strong Customer Authentication (SCA) and the kinds of payments they impact. In addition, we’ll cover the exemptions that can be used for low-risk transactions to offer a frictionless checkout experience.

We’ve published a separate page with the latest information on the SCA enforcement timeline, as well as a guide to help you identify when to add authentication in your customer journey. Visit our site for more information on Stripe’s SCA-ready products.

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online payments more secure. To accept payments and meet SCA requirements, you need to build additional authentication into your checkout flow. SCA requires authentication to use at least two of the following three elements.

Banks will need to start declining payments that require SCA and don’t meet these criteria. Although we anticipate a phased and fragmented enforcement of SCA across countries, we expect the first banks to start declining payments without two-factor authentication on 14 September 2019.

When is Strong Customer Authentication required?

Strong Customer Authentication applies to “customer-initiated” online payments within Europe. As a result, most card payments and all bank transfers require SCA. Recurring direct debits on the other hand are considered “merchant-initiated” and don’t require strong authentication. With the exception of contactless payments, in-person card payments are also not impacted by the new regulation.

How to authenticate a payment

Currently, the most common way of authenticating an online card payment relies on 3D Secure—an authentication standard supported by the vast majority of European cards. Applying 3D Secure typically adds an extra step after the checkout where the cardholder is prompted by their bank to provide additional information to complete a payment (e.g., a one-time code sent to their phone or fingerprint authentication through their mobile banking app).

3D Secure 2—the new version of the authentication protocol rolling out in 2019—will be the main method for authenticating online card payments and meeting the new SCA requirements. This new version introduces a better user experience that will help minimise some of the friction that authentication adds into the checkout flow.

Other card-based payment methods such as Apple Pay or Google Pay already support payment flows with a built-in layer of authentication (biometric or password). These can be a great way for businesses to offer a frictionless checkout experience while meeting the new requirements.

We also expect many common European payment methods, such as iDEAL, Bancontact, or Multibanco, to follow the new SCA rules without any major changes to their user experience.

Exemptions to Strong Customer Authentication

Under this new regulation, specific types of low-risk payments may be exempted from Strong Customer Authentication. Payment providers like Stripe are able to request these exemptions when processing the payment. The cardholder’s bank will then receive the request, assess the risk level of the transaction, and ultimately decide whether to approve the exemption or whether authentication is still necessary.

Building authentication into your checkout flow introduces an extra step that can add friction and increase customer drop-off. Using exemptions for low-risk payments can reduce the number of times you will need to authenticate a customer and reduce friction. We have designed our new SCA-ready payments products to let you take advantage of exemptions when possible to help protect your conversion.

The most relevant exemptions for internet businesses are:

Low-risk transactions

A payment provider (like Stripe) is allowed to do a real-time risk analysis to determine whether to apply SCA to a transaction. This may only be possible if the payment provider’s or bank’s overall fraud rates for card payments do not exceed the following thresholds:

0.13% to exempt transactions below €100

0.06% to exempt transactions below €250

0.01% to exempt transactions below €500

These thresholds will be converted to local equivalent amounts where relevant.

In cases where the payment provider’s fraud rate is below the threshold but the cardholder’s bank’s fraud rate is above it, we expect the bank to decline the exemption and require authentication.

We expect this to be one of the most useful exemptions for businesses and one of the most widely supported by banks. Stripe Radar’s comprehensive, real-time risk assessment allows us to support this exemption for our users.

Payments below €30

This is another exemption that can be used for payments of a low amount. Transactions below €30 are considered “low value” and may be exempted from SCA. Banks, however, need to request authentication if the exemption has been used five times since the cardholder’s last successful authentication or if the sum of previously exempted payments exceeds €100. The cardholder’s bank needs to track the number of times this exemption has been used and decide whether authentication is necessary.

Due to the strict limitations of this exemption, we expect the low-risk transaction exemption to be more relevant for most payments. We do, however, support this exemption for our users.

Fixed-amount subscriptions

This exemption can apply when the customer makes a series of recurring payments for the same amount, to the same business. SCA is required for the customer’s first payment—subsequent charges however may be exempted from SCA.

We expect this exemption to be very useful for subscription businesses and broadly supported by European banks. We enable this exemption for Stripe users. If you’re using Stripe Billing to create subscriptions, we automatically apply this exemption when relevant and can help manage authentication requests in case the exemption is rejected by the customer’s bank.

Merchant-initiated transactions (including variable subscriptions)

Payments made with saved cards when the customer is not present in the checkout flow (sometimes called “off-session”) may qualify as merchant-initiated transactions. These payments technically fall outside the scope of SCA. In practice, marking a payment as a “merchant-initiated transaction” is similar to requesting an exemption. And like any other exemption, it is still up to the bank to decide whether authentication is needed for the transaction.

To use merchant-initiated transactions, you need to authenticate the card either when it’s being saved or on the first payment. Finally, you need to get an agreement from the customer (also referred to as a “mandate”), in order to charge their card at a later point.

This is a vital use case for business models that rely on delayed payments, charge variable amount subscriptions, or bill for add-ons. We expect it to be supported by most European banks and accepted if the transaction is considered low-risk by the bank.

Stripe’s new API lets you authenticate a card when it’s being saved for later use and mark subsequent payments as “merchant-initiated transactions.”

Trusted beneficiaries

When completing authentication for a payment, customers may have the option to whitelist a business they trust to avoid having to authenticate future purchases. These businesses are then included on a list of “trusted beneficiaries” maintained by the customer’s bank or payment service provider.

While whitelisting has the potential to make repeat purchases or subscriptions more convenient for customers, so far the adoption of this feature among banks has been slow. We expect that it is not yet broadly supported by banks, but we support this exemption for our users where it is available.

Phone sales

Card details collected over the phone fall outside the scope of SCA and do not require authentication. This type of payment is sometimes referred to as “Mail Order and Telephone Orders” (MOTO). Similar to exempted payments, MOTO transactions need to be flagged as such—with the cardholder’s bank making the final decision to accept or reject the transaction.

If your business is PCI-compliant and you’ve built your own system to accept phone orders, our new payments APIs let you mark a payment as MOTO. Please contact us to enable this feature on your Stripe account and to access the technical documentation.

Corporate payments

This exemption may cover payments that are made with “lodged” cards (e.g., where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers (which are also used in the travel sector).

We expect this exemption to have low practical use outside of the travel industry due to its very narrow scope. The exemption itself can only be requested by the cardholder’s bank, as neither the business nor payment providers (like Stripe) are able to detect whether a card belongs in these categories.

What happens if an exemption fails?

While exemptions may be very useful, it’s important to remember that it’s ultimately the cardholder’s bank that decides whether or not to accept an exemption. Banks can return new decline codes for payments that failed due to missing authentication. These payments then have to be resubmitted to the customer with a request for Strong Customer Authentication. Stripe’s SCA-ready products automatically trigger this extra authentication when required by banks.

If your business is impacted by SCA, we recommend preparing for a fallback in case an exemption is rejected and your customer needs to authenticate. This is particularly important if you charge your customers when they’re not actively in your checkout flow (i.e., when they are off-session) and your customer needs to return to your website or app to authenticate. Read our guide on designing payment flows for SCA for more information.

How Stripe helps you meet Strong Customer Authentication requirements

The changes introduced by this new regulation are set to deeply affect internet commerce in Europe. And although enforcement is expected to be fragmented and phased, impacted businesses that don’t prepare for these new requirements could see their conversion rates significantly drop once SCA is enforced.

In addition to supporting new authentication methods like 3D Secure 2, we believe successful handling of exemptions is a key component for building a first-class payments experience that minimises friction.

Our new payments products optimise for different regulatory, bank, and card network rules and apply relevant exemptions for low-risk payments, so as to only trigger 3D Secure when required. And as these rules change, we’ll be able to maintain and update this SCA logic in real time—taking into account each country’s enforcement timeline.

We have released a new foundational payments API that uses Stripe’s SCA logic to apply the right exemption and trigger 3D Secure when necessary. Our new Checkout, as well as Stripe Billing are both built on top of this API and can dynamically apply 3D Secure when required.